The card master: Why Max Butler crowned himself king of a global online fraud network

Butler had sketched out his plans on a pair of whiteboards in
his safe house: there were five English-language carding sites that
mattered in the underground -- four too many. He had spent weeks
infiltrating those competitors: ScandinavianCarding, TheVouched,
TalkCash, and his chief rival, DarkMarket, a UK site.

Butler's plan to muscle in on the other forums hadn't come from
the white-hat side of his personality. Butler the criminal wasn't
greedy, and he was doing brisk business on the criminal marketplace
he had set up in June 2005, CardersMarket.com. But the carding
scene was broken, and when Butler the white hat saw something
broken, he couldn't resist fixing it.

Ego played a role too. The whole carding world seemed to think
Iceman, the name Butler used as a forum administrator, was bankrupt
of any skill except the ability to set up forum software. Butler
saw an opportunity to show the carders how wrong they were.

DarkMarket turned out to be an unguarded spot. A British carder
called JiLsi ran the site, and he'd made the mistake of choosing
the same password -- "MSR206" -- everywhere, including
CardersMarket, where Butler knew everyone's passwords. Butler could
just walk in and take over. TheVouched, on the other hand, was a
fortress -- you couldn't even connect to the website without a
privately issued digital certificate installed in your browser.
Fortunately, JiLsi was also a member of that site, and he had
moderator privileges there. Butler found a copy of the certificate
in one of JiLsi's webmail accounts, protected by the carder's usual
password. From there, it was just a matter of logging in as JiLsi
and leveraging his access to get at the entire database.

On TalkCash and ScandinavianCarding, Butler determined that the
forum software's search function was vulnerable to a structured
query language (SQL) injection attack, in which injected code exploits a
security vulnerability in the database. SQL injection is a standard weapon
in every hacker's arsenal -- the holes, even today, plague every
type of website, from ecommerce to banking.

Butler slid into the sites through the holes he'd secretly
blasted in their ramparts, using his illicit admin access to copy
their databases. Most carders wanted to avoid attention, not thrust
themselves into prominence. A hostile takeover was unprecedented.

When he was done with the English-speaking sites, Butler went to
eastern Europe. He found CardingWorld.cc and Mazafaka.cc no more
secure than the western boards and was soon downloading their
databases of private messages and forum posts. Megabytes of
Cyrillic flowed on to his computer, a secret history of scams and
hacks against the West stretching back months, now permanently
warehoused on Butler's hard drive in San Francisco's Tenderloin
district.

When he was finished, he executed the DROP command on all the
sites' databases, wiping them out. ScandinavianCarding, TheVouched,
TalkCash, DarkMarket, CardingWorld -- the bustling, 24-hour-a-day
marketplaces supporting a billion-dollar global underground economy
all winked out of existence. Ten thousand criminals around the
world, men with six-figure deals in the works, wives, children and
mistresses to support, cops to buy off, mortgages to pay, debts to
satisfy and orders to fill were, in an instant, blind.

Adrift. Losing money. They would all know the name Iceman.

As the morning dawned in San Francisco, he watched
CardersMarket's new members gather, confused and angry, on his
consolidated crime forum. Matrix001, a German DarkMarket
administrator, demanded an explanation for Iceman's actions. A
previously taciturn spam king named Master Splyntr spoke up to
criticise the organisation of the material Iceman had stolen from
the other boards.

There was just one black mark on Butler's triumph: DarkMarket.
His chief competitor had backups, and managed to crawl back to life
within days. It was a slap in the face to everything Butler was
trying to achieve for himself and the community. But DarkMarket
wasn't what it seemed: the site had been infiltrated by Keith
Mularski, an FBI agent, as part of an undercover operation. Calling
himself Master Splyntr, Mularski was masquerading as a Polish
spammer. Butler could see what was coming. With an FBI agent at the
helm, DarkMarket was going to put a lot of carders in prison.
Butler attempted to prove that Master Splyntr was a Fed, but was
unable to convince any of the other users.